Once you've laid the foundation, you're ready to tackle the task of securing the doorways into and out of your network. We call this the network perimeter, which begins with your Internet gateway router. Since most external attacks pass through the gateway, securing it properly will keep out many bad things, from malicious code like Trojan horses, viruses, and worms to more benign annoyances like inappropriate Internet content or spam.

Your first big security decision comes when signing up with an ISP: You must decide whether to select IP addresses on a public subnet, private addresses with Network Address Translation (NAT), or some combination of the two. For those using private addresses and NAT, only your gateway router will have a publicly visible Internet address; internal machines are assigned private addresses, such as 192.168.x.x, that aren't visible on the Internet at large. (The router keeps track of which internal machines are communicating with the external world and translates addresses and forwards packets accordingly.)

NAT affords some level of protection from attacks initiated outside your company: an Internet host can't send a packet to a machine behind your gateway unless the router already holds a translation entry for it, and entries are created only by outbound connections from the inside or by mappings you configure yourself. At the same time, though, NAT creates the need to use some tricks for allowing valid outside users access to your internal Web and mail servers; we discuss these tricks next.

Understand the trade-offs of the various IP-addressing options. ISPs usually offer a choice of IP address options for business users. Small businesses are typically assigned a handful of static (public) IP addresses and use NAT on the router to share them among all the hosts, devices, and users on the network; an outsider sees only the router's public addresses, never the individual machines behind them. Alternatively, you can fall back on the traditional, more expensive route of purchasing an entire subnet of fixed addresses, one for each network node.

Use a single IP address and NAT if that will do the job. This is the simplest solution. But what if you need to run servers that the external world can see? Even with NAT and a single IP address, you can still expose a few internal machines, such as e-mail and Web servers, by forwarding specific ports to them, as described under port forwarding below. But if the IP address you are assigned is truly dynamic, you will need a dynamic DNS service so external users can find and connect to those servers whenever your address changes. Remember that in that case the public address of everything you expose, including your VPN gateway, changes along with it.

While NAT is the simplest solution, and the one we usually recommend, it won't work for every small business. If you plan to use sophisticated multimedia or collaboration tools with complex protocols, NAT, and more specifically the router that runs it, will fall flat: these protocols negotiate additional ports and embed internal IP addresses inside the application data, which a basic NAT router doesn't know how to rewrite. Some Voice over IP (VoIP), Web conferencing, and videoconferencing solutions that need to reach the other party directly just won't work correctly over NAT. Also, a single IP address won't be sufficient for companies that have multiple Web servers or other server applications that all need the same port, such as 80, exposed for external use, because one public port can be forwarded to only one internal host. You simply run out of options with NAT and may need to resort to buying a subnet of fixed addresses.

Deploy internal servers securely using port forwarding. If you're using NAT, you have a choice of two techniques for providing external users with access to internal servers: port forwarding or IP address mapping. Port forwarding opens only select ports for specific types of traffic, a method often referred to as opening pinholes.

Port forwarding is the safer choice because it exposes only the specific port required and nothing more. You can, for example, establish a pinhole that forwards HTTP requests on port 80 to a designated Web server on your internal network. You can also use port forwarding to provide inbound SMTP and POP3/IMAP4 access to an internal mail server: an administrator configures an entry for a specific inbound port, such as port 25 for SMTP, and forwards it to the mail server inside the network. Bear in mind that the forwarded service itself is now reachable from the entire Internet, so the pinhole only limits exposure; the server behind it still has to be patched and configured with care.

If you're running a variety of services on a single server, you could instead use IP address mapping (sometimes called one-to-one NAT) to forward all the traffic arriving at a public address to that server. We generally discourage address mapping, because you risk opening up access to ports that aren't truly needed, ports that outsiders can use to compromise that machine.

Enhance security with a DMZ. Even with the protection provided by NAT, you can benefit from the added security of a DMZ (demilitarized zone). A DMZ lets you place servers in a publicly accessible location that's isolated from the remainder of your internal network. That way, if one of those computers is compromised, the consequences are much less dire than they otherwise might be. If, for example, a Web server sitting on your internal network rather than in a DMZ is compromised by an intruder or a Trojan horse, the situation becomes perilous: that machine is in an area normally available only to trusted users, so the attacker may be able to reach Windows file shares or other sensitive information directly. If, on the other hand, the server is isolated in a DMZ and the gateway blocks connections from the DMZ into the internal network, a compromised server gives the attacker no foothold beyond the DMZ itself.

To deploy servers in a DMZ, the network device you choose must explicitly support a DMZ either with a designated DMZ Ethernet port or using VLANs (virtual LANs). For example, the ServGate appliance (see review on this page) provides a separate DMZ port where you put your Web servers. You just provide a pinhole or IP address map through to the servers in your DMZ.

Use a stateful packet inspection (SPI) firewall. If you've opted to trade the security of NAT for the convenience of a public subnet, then anyone anywhere on the Internet can reach your machines. So it's essential to use an SPI firewall that directly supports the protocols you plan to use. NAT alone just isn't enough; small businesses should have firewall protection as well.

Most inexpensive routers have only rudimentary stateful inspection or packet filters. These are insufficient if you run complex multimedia applications on your network, especially those employing combinations of TCP and UDP ports. To protect your network under such conditions, you'll also need a comprehensive firewall, like the ones found in Astaro Security Linux 5 or the ServGate EdgeForce M30.

You never want to open UDP holes permanently, as this is a huge invitation for attack. For example, H.323 videoconferencing solutions and VoIP systems often use a combination of TCP ports for call setup and a range of UDP ports for the audio and video streams (H.264 video, for instance, travels over RTP on UDP). While some products can back off to HTTP or a single TCP port if necessary to traverse a firewall, they will often perform better when streaming over UDP.

Standard configuration procedure for firewalls is to begin by denying everything and then adding back rules that permit truly necessary port pass-through for inbound and outbound access. Most companies allow all traffic on all ports emanating from inside the network but make only specific ports available for inbound traffic destined for servers. Allowing everything outbound is convenient, but it also lets a machine that has already been infected reach the Internet freely; restricting outbound traffic to the handful of ports you actually use costs little and is worth considering.
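The ruleset below is an added example, not configuration from this article or from the ServGate or Astaro products it mentions. It is written for the Linux nftables firewall and ties together three of the points above: the port-forwarding pinholes (and the address mapping we discourage, shown disabled for contrast), the DMZ boundary, and the deny-by-default policy with a permissive outbound rule. The interface names (eth0 for the Internet link, eth1 for the LAN, eth2 for the DMZ port), the private subnets, and the two DMZ server addresses are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: a small-business gateway ruleset for the layout in the text.
# Interface names, subnets and server addresses are assumptions for illustration.
flush ruleset

define WAN = "eth0"             # Internet-facing link (the public address lives here)
define LAN = "eth1"             # trusted internal network
define DMZ = "eth2"             # dedicated DMZ port for public-facing servers
define LAN_NET = 192.168.1.0/24
define WEB  = 192.168.2.10      # Web server in the DMZ
define MAIL = 192.168.2.20      # mail server in the DMZ

table inet filter {
    chain input {
        # Traffic addressed to the gateway itself: deny by default.
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        # Manage the router only from the LAN, never from the Internet.
        iifname $LAN ip saddr $LAN_NET tcp dport { 22, 443 } accept
        # Let inside hosts use the gateway as their DNS forwarder.
        iifname $LAN udp dport 53 accept
        iifname $LAN icmp type echo-request accept
    }

    chain forward {
        # Traffic passing through the gateway: deny by default.
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # LAN may initiate anywhere (the permissive outbound default the
        # article describes; tighten to specific ports if you can).
        iifname $LAN oifname $WAN accept
        iifname $LAN oifname $DMZ accept

        # Inbound from the Internet reaches a DMZ host only if the NAT table
        # already rewrote it, i.e. only through one of the pinholes below.
        iifname $WAN oifname $DMZ ct status dnat accept

        # DMZ hosts may reach the Internet (updates, outbound mail) ...
        iifname $DMZ oifname $WAN accept
        # ... but a compromised DMZ host never gets to start a connection
        # into the LAN. Already covered by the policy; stated so it is obvious.
        iifname $DMZ oifname $LAN drop
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Pinholes: one public port each, forwarded to exactly one DMZ host.
        iifname $WAN tcp dport 80 dnat to $WEB
        iifname $WAN tcp dport 25 dnat to $MAIL
        # What the article calls IP address mapping would hand every port on
        # the public address to one host. Left here, disabled, for contrast:
        # iifname $WAN dnat to $WEB
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide LAN and DMZ hosts behind the gateway's public address.
        oifname $WAN masquerade
    }
}
```

Check the file with nft -c -f gateway.nft before loading it with nft -f gateway.nft. The forward chain is what actually enforces the DMZ boundary: a router whose "DMZ port" does not let you block connections from the DMZ into the LAN is not giving you the isolation described above, only a second LAN segment.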

Minimize remote-access requirements. Remote access requires striking a balance between usability and security, creating a challenge for security-conscious companies. If your remote users need access only to e-mail and a Web server, consider whether you really need any additional remote access at all, since your users' e-mail clients and browsers already provide the access they need. (In cases where e-mail and Web security are crucial, you can use application-level security such as S/MIME for secure e-mail and SSL for secure Web sessions.)

If remote file, application, or desktop access is truly required, you can consider rolling out remote-control solutions like Symantec's pcAnywhere or Citrix Online's GoToMyPC. These solutions are easy to use and even work across dynamic NAT deployments. Both provide managed solutions, so administrators can control remote-access sessions and security.

But remember that providing full access to people and machines outside your network can be dangerous. Strong password policies and ongoing monitoring of reports and usage should be mandatory here.

Those overseeing small-business networks will probably want to avoid the IPsec VPNs that are included with many gateway devices. Granting end-user remote access through the use of these devices is usually too complex for small-business network administrators. SSL VPNs are easier to use and administer but remain comparatively expensive for small to midsize businesses. But some solutions, such as those from Check Point enKoo and Juniper Networks, are beginning to target smaller companies.


About the Author

Rob Lipschutz is PC Magazine's Lead Analyst for Business and Networking. He is responsible for our coverage of networking, and of services and software targeted at the unique needs of smaller businesses. As former Technical Director, Networking for PC Magazine, he just can't get these products out of his blood. Rob has written three books and num...
